After a ServiceBinding is created, the connection secret temporarily contains a raw attribute.credentials key with the full JSON blob, instead of the expected flattened individual keys (clientid, clientsecret, sm_url, etc.).

This happens because flattenSecretData is called in the Observe path but not in the Create path. Since the controller uses synchronous TF apply (useAsync=false), Create returns connection details immediately — unflattened. The secret is corrected on the next reconcile when Observe runs, but any consumer reading the secret in between sees the wrong format.